Over the weekend the drummer in my band “The Brushed Keys” ( https://www.youtube.com/watch?v=WU-U7SBPF5Y&list=PLQA4w1oo2uGQGxKTzvzcJaPcNSj8SL8pp ) had finally taken the plunge and attempted the Windows XP Service Pack 3 upgrade, only about 6 years late.
However, it all went wrong when the machine would no longer start up, going to a permanent black screen with a mouse cursor after the XP logo. This occurred in all the Safe Modes, and also with Last Known Good Configuration.
Using a Windows PE boot disk I had on hand, with diagnostic utilities, I first used an offline event viewer, Event Log Explorer ( http://www.eventlogxp.com/ ), to check the last Windows events, opening the .evt files in c:\windows\system32\config. This tool is particularly useful in XP environments because .EVT files cannot be opened by Event Viewer if copied off a machine; they must be exported first. Windows Vista and later EVTX files do not suffer this problem.
From the application log we could see WinLogon.exe was crashing, but there was no fault information, i.e. exception code, faulting module, etc. In addition, Dr Watson logs were not generated. Without a FireWire/serial cable on hand I didn't have much diagnostic info, so I decided to just revert the XP Service Pack 3 upgrade.
On the C: drive I could see System Restore was enabled, but in Windows XP you cannot use System Restore until you actually boot into the system (or you have a specific boot disk to handle offline XP System Restore; I hadn't used mine in 5 years or more, so I had no idea where that was).
To do this, I booted into Windows PE (but you could use the Windows XP Recovery Console) and did the following:
1) Made a backup of C:\Windows\System32\Config folder
2) Browsed to the C:\System Volume Information\_restore<GUID>\RPxxx (I chose the oldest one)\snapshot folder (note these are hidden system folders)
3) Copied the following files to Config folder, and renamed them taking off the _REGISTRY_MACHINE_ prefix, replacing the existing files.
4) This was probably not necessary but I also restored the user’s ntuser.dat (Also made a backup of it before replacing)
_REGISTRY_USER_USERCLASS_<SID> to C:\Documents and Settings\<User Profile>
You can see the SID by checking permissions on user profile within Windows PE, i.e. using icacls/etc.
5) Renamed C:\windows\$NTServicePackUninstall$\spuninst.txt to spuninst.cmd and ran the batch file. This deletes the Service Pack 3 files, and copies back the files that were backed up before the patch was applied.
Unfortunately, after restarting we got the error:
lsass.exe – System Error
When trying to update a password, this return status indicates that the value provided
as the current password is not correct.
After this error the computer immediately rebooted.
This issue was fixed by restoring the SAM and SECURITY files from my backup, back into C:\Windows\System32\Config. (If you didn't have a backup you could try your luck with the backups in the c:\windows\repair folder.)
After this the machine boots fine, with all the user's applications intact.
I made a 5 minute video of the process on my phone; it is here on YouTube:
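
Steps 1 to 3 above can be scripted from the Windows PE command prompt. The following is an added example, not the script used in this post: it backs up the Config folder, copies the snapshot hives over with the _REGISTRY_MACHINE_ prefix stripped, and leaves the current SAM and SECURITY in place, which is the state the machine ended up in after the lsass.exe error was fixed. The script name, the C:\ConfigBackup folder and the assumption that the XP volume is mounted as C: are mine.

```batch
@echo off
rem Added example (not from the original post). Run from Windows PE.
rem Usage: restore-hives.cmd "C:\System Volume Information\_restore{GUID}\RPxxx\snapshot"
setlocal enabledelayedexpansion

set "SNAP=%~1"
rem Assumption: the offline XP install is on C: and this backup path is free.
set "CONFIG=C:\Windows\System32\Config"
set "BACKUP=C:\ConfigBackup"

if "%SNAP%"=="" (
    echo Usage: %~nx0 "path\to\RPxxx\snapshot"
    exit /b 1
)
if not exist "%SNAP%\_REGISTRY_MACHINE_SYSTEM" (
    echo No registry snapshot found in "%SNAP%"
    exit /b 1
)
rem Never overwrite an earlier backup: it may be the only good copy.
if exist "%BACKUP%" (
    echo "%BACKUP%" already exists. Move it aside and run again.
    exit /b 1
)

rem Step 1: back up the whole Config folder, hidden and system files included.
xcopy "%CONFIG%" "%BACKUP%\" /e /h /k /y >nul
if errorlevel 1 (
    echo Backup failed, nothing was changed.
    exit /b 1
)

rem Steps 2-3: copy each machine hive from the snapshot into Config,
rem stripping the _REGISTRY_MACHINE_ prefix from the file name.
for %%F in ("%SNAP%\_REGISTRY_MACHINE_*") do (
    set "NAME=%%~nxF"
    set "NAME=!NAME:_REGISTRY_MACHINE_=!"
    if /i "!NAME!"=="SAM" (
        echo Keeping current SAM
    ) else if /i "!NAME!"=="SECURITY" (
        echo Keeping current SECURITY
    ) else (
        copy /y "%%F" "%CONFIG%\!NAME!" >nul && echo Restored !NAME!
    )
)

echo Done. Original hives are in "%BACKUP%".
endlocal
```

If the machine still fails to boot afterwards, every original hive is in the backup folder and can be copied back over Config from the same Windows PE session.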
Uninstalling Windows XP SP3 on an Unbootable PC